Questions and answers: Marking

by Mark Riddle

Markings during phased implementation

  1. When can I start using the CUI markings and following the requirements of the CUI Program?

Until directed by your agency’s guidance, executive branch employees and contractors supporting Government agencies must not use CUI markings and other CUI requirements.

  1. When will CUI markings and practices take effect?

Your agency will create guidance and training that will address how and when to mark information CUI. Since each agency is following its own timeline for implementation, you
may begin to receive information marked as CUI before your own agency begins implementing the Program.

  1. What do I do if I receive marked CUI and my agency has not yet implemented the program?

Follow your agency’s guidance in how to handle such marked information.


Marking requirements

  1. Why do we need to mark our information?

Markings allow recipients to tell at a glance that they have something that requires protection. Not marking CUI would result in failure to adequately identify unclassified information requiring control, or lead to unauthorized disclosure and improper handling. The results could subject employees, contractors, partners, and other recipients of CUI to an increased likelihood of sanctions for mishandling information that laws, Federal regulations, and Government-wide policies require them to handle as CUI.

  1. What is always required when marking CUI?

The CUI banner markings and designation indicators are required when marking CUI.

  1. When do agencies use a category/subcategory in the marking?

Category markings are mandatory in the case of CUI Specified; and used for CUI Basic when required by agency policy (encouraged). Category markings are approved by the CUI EA and are associated with the categories and subcategories listed in the CUI Registry.


Designation and administrative indicators

  1. What is a designation indicator and what are the best ways to display it on a document?

A designation indicator is a required marking that must be included on the first page (or cover page) of a document to inform the holder of the information of what agency created that information. It must indicate what agency created the information, but may include more information as well, like the office, address, email, or phone number.

This information can be displayed by using agency letterhead or including a “Controlled by” line on the first page.

  1. What if a law, Federal regulation, or Government-wide policy requires a specific indicator?

For some CUI Specified, there may be required indicators prescribed by law, Federal regulation, or Government-wide policy. These indicators must not be included in the CUI banner or portion markings, but must appear in a manner readily apparent to authorized personnel and consistent with the requirements of the relevant law, Federal regulation, or Government-wide policy.

  1. How do supplemental administrative markings or indicators (e.g., “draft,” “predecisional,” “deliberative”) coexist with CUI markings?

Administrative markings must not be incorporated into CUI banners or duplicate any marking in the CUI Registry. They may be used only to indicate the non-final status of documents under development to avoid confusion and maintain the integrity of an agency’s decision-making process. Follow your agency’s CUI guidance for requirements on using supplemental administrative markings.


Marking ‘legacy’ information

  1. How will sensitive unclassified information that was marked prior to implementation of the CUI Program be handled?

Sensitive unclassified information that was marked prior to the implementation of the CUI Program which meets the standards for CUI is considered legacy information. Agencies are not required to review and re-mark legacy information until and unless the information is re-used, restated, or paraphrased. Once an agency has implemented the CUI Program, legacy markings such as FOUO must not be carried forward and new documents containing the information must be marked in accordance with the requirements of the Program.


Portion markings

  1. Are portion markings required for CUI?

Portion marking of CUI is not required except when commingled with classified information. When not commingled with classified information, agency policies may require portion marking to facilitate information sharing and proper handling of the information.

  1. What do I do if I receive CUI in an unclassified environment that is portion marked and I need to reuse some of the information in a new document?

Your agency will provide guidance on whether you can use CUI portion markings. Agencies are permitted and encouraged to portion mark all CUI to facilitate information sharing and proper handling.

  1. What does the “(U)” portion marking mean?

When portion markings are used, a “U” is placed in parentheses to indicate that the portion contains uncontrolled unclassified information. The use of this marking does not mean that the portion is available for immediate public release. Employees must release information to the public in accordance with applicable agency release policies and procedures.


Limited dissemination control markings

  1. What are Limited Dissemination Control markings?

Agencies may place additional limits on disseminating CUI only through the use of the limited dissemination controls approved by the CUI Executive Agent and published in the CUI Registry. These limited dissemination controls are separate from any controls that a CUI Specified law, Federal regulation, or Government-wide policy requires or permits. Follow your agency’s guidance on the application of limited dissemination controls and corresponding markings.


CUI markings and FOIA

  1. Does marking information as CUI preclude the information from being reviewed and potentially released if it is requested under the provisions of the Freedom of Information Act (FOIA) or otherwise considered for public release?

Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release.


6 thoughts on “Questions and answers: Marking

  1. Have any federal agencies implemented the new CUI Program yet? When they do, will a link to their respective policy document be included on the CUI Registry? Will a blog post be made when each federal agency comes out with their new CUI policy and implementation?

    1. Good afternoon,

      The CUI Program will be implemented in phases within Executive branch agencies and as of today there are no agencies that have fully implemented the program. By phases I mean that agencies must first issue a policy that adapts existing practices to those of the CUI Program. Once policy is established, agencies can begin to train the workforce, adapt physical safeguards, and system configurations to align to these standards. There are no plans to provide links to agency implementing policy from the CUI Registry. Some agencies are planning to post their policies to a public facing website. There are no plans to post to the blog when agencies issue their policies but we will be addressing the progress of agencies to implement the program during our regular updates to stakeholders (next is scheduled for Feb 15, 2018, 1-3 EDT).

      Please let me know if you have any additional questions.

      Mark Riddle

  2. Has this changed yet: When can I start using the CUI markings and following the requirements
    of the CUI Program?
    Until directed by your agency’s guidance, executive branch employees and contractors
    supporting Government agencies must not use CUI markings and other CUI requirements.

    1. No, this has not changed yet. You must not mark CUI unless your Agency has a CUI Program Policy in place and if your contract states you should be marking CUI

    1. The CUI cybersecurity requirements for Video Live Streaming while teleworking would be/are the same as the CUI cybersecurity requirements for any application or system that stores, processes, or transmits CUI. If the system is a federal system then it must meet, at a minimum , moderate confidentiality. If it is a non-federal system, then it must be configured in compliance with NIST SP 800-171 (only as required by law, regulation, contract, or agreement). NSA has posted some potentially helpful information that we point to in this blog post:

Leave a Reply